etdump: exit on error if section header or entry offset is OOB
PR: 263663 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: markj MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35868
parent
bb1f64b200
commit
ddf77ec392
@ -116,8 +116,8 @@ boot_catalog_valid(char *entry)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
dump_section(char *buffer, size_t offset, FILE *outfile, const char *filename,
|
dump_section(char *buffer, size_t bufsize, size_t offset, FILE *outfile,
|
||||||
struct outputter *outputter)
|
const char *filename, struct outputter *outputter)
|
||||||
{
|
{
|
||||||
boot_catalog_section_header *sh;
|
boot_catalog_section_header *sh;
|
||||||
u_char platform_id;
|
u_char platform_id;
|
||||||
@ -125,6 +125,8 @@ dump_section(char *buffer, size_t offset, FILE *outfile, const char *filename,
|
|||||||
size_t entry_offset;
|
size_t entry_offset;
|
||||||
boot_catalog_section_entry *entry;
|
boot_catalog_section_entry *entry;
|
||||||
|
|
||||||
|
if (offset + sizeof(boot_catalog_section_header) > bufsize)
|
||||||
|
errx(1, "%s: section header out of bounds", filename);
|
||||||
sh = (boot_catalog_section_header *)&buffer[offset];
|
sh = (boot_catalog_section_header *)&buffer[offset];
|
||||||
if (outputter->output_section != NULL) {
|
if (outputter->output_section != NULL) {
|
||||||
outputter->output_section(outfile, filename, sh);
|
outputter->output_section(outfile, filename, sh);
|
||||||
@ -135,6 +137,10 @@ dump_section(char *buffer, size_t offset, FILE *outfile, const char *filename,
|
|||||||
if (outputter->output_entry != NULL) {
|
if (outputter->output_entry != NULL) {
|
||||||
for (i = 1; i <= (int)sh->num_section_entries[0]; i++) {
|
for (i = 1; i <= (int)sh->num_section_entries[0]; i++) {
|
||||||
entry_offset = offset + i * ET_BOOT_ENTRY_SIZE;
|
entry_offset = offset + i * ET_BOOT_ENTRY_SIZE;
|
||||||
|
if (entry_offset + sizeof(boot_catalog_section_entry) >
|
||||||
|
bufsize)
|
||||||
|
errx(1, "%s: section entry out of bounds",
|
||||||
|
filename);
|
||||||
entry =
|
entry =
|
||||||
(boot_catalog_section_entry *)&buffer[entry_offset];
|
(boot_catalog_section_entry *)&buffer[entry_offset];
|
||||||
outputter->output_entry(outfile, filename, entry,
|
outputter->output_entry(outfile, filename, entry,
|
||||||
@ -195,8 +201,8 @@ dump_eltorito(FILE *iso, const char *filename, FILE *outfile,
|
|||||||
(uint8_t)entry[0] != ET_SECTION_HEADER_LAST)
|
(uint8_t)entry[0] != ET_SECTION_HEADER_LAST)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
entry_count = dump_section(buffer, offset, outfile, filename,
|
entry_count = dump_section(buffer, sizeof(buffer), offset,
|
||||||
outputter);
|
outfile, filename, outputter);
|
||||||
|
|
||||||
offset += entry_count * ET_BOOT_ENTRY_SIZE;
|
offset += entry_count * ET_BOOT_ENTRY_SIZE;
|
||||||
}
|
}
|
||||||
|
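Review bot: In dump_eltorito the `entry[0]` test at the top of the last hunk runs before dump_section's new header check, so the loop itself can still read past `buffer` once `offset += entry_count * ET_BOOT_ENTRY_SIZE` has moved `offset` to or beyond `sizeof(buffer)` (this assumes `entry` points at `buffer[offset]`; that assignment is outside the hunk). The new per-entry check does not rule this out, because it sits inside `if (outputter->output_entry != NULL)` and is skipped when that callback is unset, while the advance is presumably driven by the count byte read from the image. I would add `if (offset >= sizeof(buffer)) errx(1, "%s: section header out of bounds", filename);` before the `entry[0]` read. Both new comparisons could also be written in subtraction form, e.g. `if (offset > bufsize || bufsize - offset < sizeof(boot_catalog_section_header))`, so the addition cannot wrap. Both function bodies start and end outside the hunks shown.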